Abstract

The validity problem for certain universal Horn formulas of Kleene algebra with tests (KAT) can be efficiently reduced to the equational theory. This reduction is known as elimination of hypotheses. Hypotheses are used to describe the interaction of atomic programs and tests and are an essential component of practical program verification with KAT. The ability to eliminate hypotheses of a certain form means that the Horn theory with premises of that form remains decidable in PSPACE. It was known (Cohen 1994, Kozen and Smith 1996, Kozen 1997) how to eliminate hypotheses of the form q = 0. In this paper we show how to eliminate hypotheses of the form cp = c for atomic p. Hypotheses of this form are useful in eliminating redundant code and arise quite often in the verification of compiler optimizations (Kozen and Patron 2000).


1 Introduction

Kleene algebra with tests (KAT), introduced in [12], is an equational system for program verification that combines Kleene algebra (KA) with Boolean algebra. KAT has been applied successfully in various low-level verification tasks involving communication protocols, basic safety analysis, source-to-source program transformation, concurrency control, and compiler optimization [3, 4, 5, 12, 15, 1, 2]. The system subsumes Hoare logic and is deductively complete for partial correctness over relational models [14].

A useful feature of KAT in practical verification tasks is its ability to accommodate basic equational hypotheses regarding the interaction of atomic instructions and tests. This feature makes KAT ideal for static analysis of complicated code fragments based on the behavior of their atomic parts.


For example, consider the case of an assertion b that holds at some point in a program immediately before an action p, and suppose we know that the execution of p cannot affect the truth of b. For instance, p might be an assignment such as x := 3 and b might be a test such as y = 4 that refers to a different variable. In KAT, the independence of p and b is modeled by a commutativity condition pb = bp, which is typically postulated as an assumption. The rules of equational logic allow pb to be substituted for bp and vice versa; intuitively, if p and b are adjacent in the program, they can exchange positions.

Similarly, assertions arising from the execution of actions can be introduced and eliminated as needed using equational assumptions of the form p = pc. For example, if p is the assignment x := 3 and c is the assertion x = 3, then any execution of p causes c to hold immediately afterward. Using p = pc, one can introduce the assertion c immediately following any occurrence of p in the program, then move it around using commutativity conditions as described in the preceding paragraph. If an occurrence of c can be moved to a position immediately preceding some other occurrence of p, then that occurrence of p can be eliminated, since it is redundant: if x already has the value 3, there is no need to assign 3 to it again. Formally, we postulate cp = c. This technique is useful in the verification of various compiler optimizations that eliminate unnecessary code, such as the loading of a register with a constant value inside a loop. See [15] for many examples of this type.

In such proofs, the underlying first-order semantics of p and c (i.e., that p is x := 3 and c is x = 3) are used to establish the correctness of the premises p = pc and cp = c; but once this is done, the argument reverts to purely propositional reasoning, using p = pc and cp = c as equational assumptions without reference to their semantics.

Much attention has focused on the equational theory of KA and KAT. The axioms of KAT are known to be deductively complete for the equational theory of language and relational models, and validity is decidable in PSPACE [16, 6]. But because of the practical importance of premises, it is the universal Horn theory that is of more interest; that is, the set of valid sentences of the form

\[ p_1 = q_1 \wedge \cdots \wedge p_n = q_n \rightarrow p = q, \tag{1} \]

where the atomic symbols are implicitly universally quantified. Typically, the premises $p_i = q_i$ are assumptions such as bp = pb, p = pc, and cp = c regarding the interaction of atomic programs and tests, and the conclusion p = q represents the equivalence of the optimized and unoptimized program. The necessary premises are obtained by inspection of the program and their validity may depend on properties of the domain of computation, but they are usually quite simple and easy to verify by inspection, since they typically only involve atomic programs and tests. Once the premises are established, the proof of (1) is purely propositional. This ability to introduce premises as needed is one of the features that makes KAT so versatile. By comparison, Hoare logic has only the assignment rule, which is much more limited. In addition, this style of reasoning allows a clean separation between first-order interpreted reasoning to justify the premises $p_1 = q_1 \wedge \cdots \wedge p_n = q_n$ and purely propositional reasoning to establish that the conclusion p = q follows from the premises.

Unfortunately, the Horn theory is computationally more complex than the equational theory. The general Horn theory for *-continuous algebras is $\Pi^1_1$-complete. Even when the premises are restricted to commutativity conditions of the form pq = qp for atomic actions p and q, the validity problem is $\Pi^1_1$-complete [13].

However, sometimes the validity of universal Horn formulas with premises of a certain restricted form can be efficiently reduced to the equational theory. This reduction is known as elimination of hypotheses. Cohen [3] was the first to identify this as an important issue. He showed how to eliminate hypotheses of the form q = 0 in KA; thus the Horn theory of KA with premises of this form remains decidable in PSPACE. These results were generalized to KAT in [16]. This is good news for many of the program verification tasks mentioned above, since in many cases the premises are of this form. For example, the commutativity condition bp = pb is equivalent to the condition $\bar{b}pb + bp\bar{b} = 0$, and the condition pc = p is equivalent to the condition $p\bar{c} = 0$. All partial correctness assertions of Hoare logic are of this form as well: the Hoare partial correctness assertion {b} p {c} is equivalent to the equation $bp\bar{c} = 0$. For this reason, we call Horn formulas with premises of the restricted form q = 0 Hoare formulas.

The general question thus arises: under what conditions can hypotheses be eliminated? In other words, under what restrictions on the premises does the validity of Horn formulas reduce to the validity of equations? Although we do not have a general answer to this question, we can extend the class of useful premises for which elimination is possible: we show in this paper how to eliminate hypotheses of the form cp = c for atomic p. Equations of this form are not equivalent to equations of the form q = 0 in general.

Before we go further, there are several subtleties in the question itself that must be addressed. One issue is that unlike the equational theory, the question depends on the class of models under consideration. In order of increasing restriction, one might consider validity over unrestricted (KAT), *-continuous (KAT*), or relational (REL) Kleene algebras with tests. The equational theories of all these classes coincide [16], but this is not true of their Horn theories. The Horn theories of KAT and KAT* must differ, since the former is recursively enumerable (it is defined by a finite quasiequational axiomatization), whereas the latter is $\Pi^1_1$-complete [13]; and the Horn theories of KAT* and REL differ, since $p \le 1 \rightarrow p^2 = p$ is valid in all relational models, but not in all *-continuous KATs; for example, not in the min,+ algebra.

The results of [3, 16] on the elimination of hypotheses of the form q = 0 were initially shown to hold for *-continuous and general KA and KAT, but the corresponding result for relational models does not follow from these results or their proofs. This was a subtle but crucial oversight, since in programming language semantics, it is the relational models that are of primary interest. The situation was rectified in [14], where it was established that the Hoare theories of KAT, KAT*, and REL coincide, and that the same reduction also works for relational models.

Cohen [3] shows also that hypotheses of the form $p \le 1$ can be eliminated, provided p contains no occurrence of a composition operator. However, this result is more problematic. His reduction is valid when interpreted over the classes of all Kleene algebras or all *-continuous Kleene algebras; however, it fails when restricted to relational models. In fact, an example formula on which it fails is the formula $p \le 1 \rightarrow p^2 = p$ mentioned above. Since the reduction does not work for relational models, and since it is the relational models that are of primary interest in program semantics, the situation is not completely satisfactory.

Another issue is that one would like to eliminate hypotheses of the form $p \le 1$ or q = 0 simultaneously. Cohen does not address this issue. In the case of premises of the form q = 0, it is easy to see how to combine several of them into one: the conjunction $q_1 = 0 \wedge \cdots \wedge q_n = 0$ is equivalent to the single equation $q_1 + \cdots + q_n = 0$. A similar construction can be used to combine several premises of the form $p \le 1$ into one. However, it is not immediately clear how to handle both forms simultaneously.

In this paper we consider premises of the form cp = c for atomic p. The utility of such premises in practical verification has been argued above. Such equations are not equivalent to any equation of the form q = 0, and the construction we use is quite different. We show that an arbitrary finite set of premises of this form in conjunction with arbitrarily many premises of the form q = 0 can be simultaneously eliminated, giving an efficient reduction of the Horn theory with premises of the form cp = c for atomic p or q = 0 to the equational theory. Moreover, this result holds irrespective of whether the class of interpretations is KAT, KAT*, or REL; that is, the Horn theories of these three classes of models, restricted to premises of the form cp = c for atomic p or q = 0, coincide. Thus the Horn theory with premises of this form remains decidable in PSPACE.

2 Preliminary Definitions

2.1 Kleene Algebra

Kleene algebra (KA) is the algebra of regular expressions [10, 7]. The axiomatization used here is from [11]. A Kleene algebra is an algebraic structure $(K, +, \cdot, {}^*, 0, 1)$ that is an idempotent semiring under $+, \cdot, 0, 1$ such that $p^*q$ is the $\le$-least solution to $q + px \le x$ and $qp^*$ is the $\le$-least solution to $q + xp \le x$, where $\le$ refers to the natural partial order on K: $p \le q \overset{\text{def}}{\iff} p + q = q$. This is a universal Horn axiomatization. A Kleene algebra is *-continuous if it satisfies the stronger infinitary property $pq^*r = \sup_n pq^nr$.

The axioms for * say essentially that * behaves like the Kleene asterate operator of formal language theory or the reflexive transitive closure operator of relational algebra.

Kleene algebra is a versatile system with many useful interpretations. Standard models include the family of regular sets over a finite alphabet; the family of binary relations on a set; and the family of n x n matrices over another Kleene algebra. Other more unusual interpretations include the min,+ algebra, also known as the tropical semiring, used in shortest path algorithms, and models consisting of convex polyhedra used in computational geometry.

The completeness result of [11] says that all true identities between regular expressions interpreted as regular sets of strings are derivable from the axioms of Kleene algebra. In other words, the algebra of regular sets of strings over the finite alphabet P is the free Kleene algebra on generators P. The axioms are also complete for the equational theory of relational models.

See [11] for a more thorough introduction.

2.2 Kleene Algebra with Tests

Kleene algebras with tests (KAT) were introduced in [12]. We give a brief introduction here, but refer the reader to [12, 14, 17] for a more detailed treatment.

A Kleene algebra with tests is just a Kleene algebra with an embedded Boolean subalgebra. That is, it is a two-sorted structure

\[ (K, B, +, \cdot, {}^*, \bar{\ }, 0, 1) \]

such that

• $(K, +, \cdot, {}^*, 0, 1)$ is a Kleene algebra,

• $(B, +, \cdot, \bar{\ }, 0, 1)$ is a Boolean algebra, and

• $B \subseteq K$.

The Boolean complementation operator $\bar{\ }$ is defined only on B. Elements of B are called tests. The letters p, q, r, s, ... denote arbitrary elements of K and a, b, c, ... denote tests.
The encoding of the while program constructs is as in propositional Dynamic Logic [8]:

\[ p\,;\,q \overset{\text{def}}{=} pq \]
\[ \text{if } b \text{ then } p \text{ else } q \overset{\text{def}}{=} bp + \bar{b}q \]
\[ \text{while } b \text{ do } p \overset{\text{def}}{=} (bp)^*\bar{b}. \]

The Hoare partial correctness assertion {b}p{c} is expressed as an equation $bp\bar{c} = 0$, or equivalently, bp = bpc. All Hoare rules are derivable in KAT; indeed, KAT is deductively complete for relationally valid propositional Hoare-style rules involving partial correctness assertions [14] (propositional Hoare logic is not).

Let P and B be disjoint sets of symbols called the atomic actions and atomic tests, respectively. We denote by $\mathrm{RExp}_{P,B}$ the set of terms of the language of KAT over P and B. A test over B is just a Boolean combination of elements of B. The set of tests over B is denoted $\mathrm{Bool}_B$.

Lemma 2.1 The following are equivalent in KAT:

(i) cp = c

(ii) $cp + \bar{c} = 1$

(iii) $p = \bar{c}p + c$.

Proof. For (i) → (ii), replace cp by c on the left-hand side of (ii) and use the Boolean algebra axiom $c + \bar{c} = 1$. For (i) → (iii), replace c by cp on the right-hand side of (iii) and use distributivity and the Boolean algebra axiom $c + \bar{c} = 1$. For (ii) → (i) and (iii) → (i), multiply both sides of (ii) or (iii) on the left by c and use distributivity and the Boolean algebra axioms $c\bar{c} = 0$ and cc = c. □

We write KAT ⊨ φ (respectively, KAT* ⊨ φ) if φ holds under all interpretations over Kleene algebras with tests (respectively, *-continuous Kleene algebras with tests).

2.3 Kripke Frames

For applications in program verification, we usually interpret programs and tests either as sets of traces or as binary relations on a set of states. Both these classes of algebras are defined in terms of Kripke frames. A Kripke frame over a set of atomic programs P and a set of atomic tests B is a structure $(K, m_K)$, where K is a set of states, $m_K : P \rightarrow 2^{K \times K}$, and $m_K : B \rightarrow 2^K$.

2.4 Relational Models

The set of all binary relations on a Kripke frame K forms a KAT under the standard binary relation-theoretic interpretation of the KAT operators. The operator · is interpreted as relational composition, + as union, 0 and 1 as the empty relation and the identity relation on K, respectively, and * as reflexive transitive closure. The Boolean elements are subsets of the identity relation. One can define a canonical interpretation $[\ ]_K : \mathrm{RExp}_{P,B} \rightarrow 2^{K \times K}$ by

\[ [p]_K \overset{\text{def}}{=} m_K(p),\ p \in P \qquad [b]_K \overset{\text{def}}{=} \{(u,u) \mid u \in m_K(b)\},\ b \in B, \]

extended homomorphically. A binary relation is regular if it is $[p]_K$ for some $p \in \mathrm{RExp}_{P,B}$. The relational algebra consisting of all regular binary relations on K is denoted $\mathrm{Rel}_K$.

We write $\mathrm{Rel}_K \models \varphi$ if the formula φ is true in this model under the canonical interpretation $[\ ]_K$, and we write REL ⊨ φ if φ is true under all such interpretations. If φ is a single equation, we can omit KAT, KAT*, or REL before the symbol ⊨, since these classes of algebras are known to have the same equational theory [16].

2.5 Trace Models

A trace in a Kripke frame K is a sequence $u_0 p_0 u_1 \cdots u_{n-1} p_{n-1} u_n$, where $n \ge 0$, $u_i \in K$, $p_i \in P$, and $(u_i, u_{i+1}) \in m_K(p_i)$ for $0 \le i \le n-1$. The set of all traces in K is denoted $\mathrm{Traces}_K$. We denote traces by σ, τ, .... The first and last states of a trace σ are denoted first(σ) and last(σ), respectively. If last(σ) = first(τ), we can fuse σ and τ to get the trace στ.

The powerset of $\mathrm{Traces}_K$ forms a KAT in which + is interpreted as set union, · as the operation

\[ AB \overset{\text{def}}{=} \{\sigma\tau \mid \sigma \in A,\ \tau \in B,\ \mathrm{last}(\sigma) = \mathrm{first}(\tau)\}, \]

0 and 1 as ∅ and K, respectively, and $A^*$ as the union of all finite powers of A. The Boolean elements are the subsets of K, the sets of traces of length 0. A canonical interpretation $[\![\ ]\!]_K$ for KAT expressions over P and B is given by

\[ [\![ p ]\!]_K \overset{\text{def}}{=} \{upv \mid (u,v) \in m_K(p)\},\ p \in P \qquad [\![ b ]\!]_K \overset{\text{def}}{=} m_K(b),\ b \in B, \]

extended homomorphically. A set of traces is regular if it is $[\![ p ]\!]_K$ for some KAT expression p. The subalgebra of all regular sets of traces of K is denoted $\mathrm{Tr}_K$.

A homomorphism involving trace or relation algebras on Kripke frames over P, B is canonical if it commutes with the canonical interpretations $[\![\ ]\!]_K$ or $[\ ]_K$. For example, the map $\mathrm{Ext}(A) = \{(\mathrm{first}(\sigma), \mathrm{last}(\sigma)) \mid \sigma \in A\}$ is a canonical homomorphism $\mathrm{Tr}_K \rightarrow \mathrm{Rel}_K$, since $\mathrm{Ext}([\![ p ]\!]_K) = [p]_K$ for all $p \in \mathrm{RExp}_{P,B}$.

2.6 Guarded Strings

When B is finite, a language-theoretic interpretation is given by the algebra of regular sets of guarded strings [9, 16]. Let $\mathrm{Atoms}_B$ denote the set of atoms (minimal nonzero elements) of the free Boolean algebra generated by B. We use the symbols α, β, ... exclusively for atoms. For an atom α and a test b, we write $\alpha \le b$ if $\alpha \rightarrow b$ is a propositional tautology.

A guarded string over P, B is a trace in the Kripke frame G whose states are $\mathrm{Atoms}_B$ and

\[ m_G(p) \overset{\text{def}}{=} \mathrm{Atoms}_B \times \mathrm{Atoms}_B,\ p \in P \]
\[ m_G(b) \overset{\text{def}}{=} \{\alpha \in \mathrm{Atoms}_B \mid \alpha \le b\},\ b \in B. \]

Thus a guarded string is just a sequence $\alpha_0 p_0 \alpha_1 \cdots \alpha_{n-1} p_{n-1} \alpha_n$, where the $\alpha_i \in \mathrm{Atoms}_B$ and $p_i \in P$, and $\mathrm{Traces}_G$ is the set of all guarded strings over P, B. Each KAT term $p \in \mathrm{RExp}_{P,B}$ denotes a set $[\![ p ]\!]_G$ of guarded strings under the canonical interpretation defined in Section 2.5. A guarded string σ is itself a member of $\mathrm{RExp}_{P,B}$, and $[\![ \sigma ]\!]_G = \{\sigma\}$.

The trace algebra $\mathrm{Tr}_G$ of regular sets of guarded strings over P, B forms the free Kleene algebra with tests on generators P, B; in other words, $[\![ p ]\!]_G = [\![ q ]\!]_G$ iff p = q is a theorem of KAT [16].

3 Main Results

In this section we show how to eliminate hypotheses of the form cp = c for atomic p. Before we do this, we argue that this result does not follow from any previously known results on the elimination of hypotheses.

Theorem 3.1 Let p be an atomic action and c a test that does not vanish tautologically. The equation cp = c is not equivalent to any inequality of the form $x \le a$ for a test a. In particular, cp = c is not equivalent to $x \le 1$ or x = 0. Moreover, this holds even restricted to relational models.

Proof. Let a be a test. Suppose for a contradiction that

\[ \mathrm{REL} \models cp = c \leftrightarrow x \le a. \tag{2} \]

Let P and B be the sets of all atomic actions and tests, respectively, occurring in (2). Let u be the universal expression $(\sum_{q \in P} q)^*$. We claim first that

\[ \models x \le uc\Big(\sum_{b \in B} \bar{b}pb + bp\bar{b}\Big)u + aua. \tag{3} \]

Let $[\![\ ]\!]_G$ be the canonical interpretation $\mathrm{RExp}_{P,B} \rightarrow \mathrm{Tr}_G$. Let
\[ \sigma = \alpha_0 p_0 \alpha_1 \cdots \alpha_{n-1} p_{n-1} \alpha_n \]

be an arbitrary guarded string in $[\![ x ]\!]_G$. Suppose that

\[ \sigma \notin [\![ uc\Big(\sum_{b \in B} \bar{b}pb + bp\bar{b}\Big)u ]\!]_G. \tag{4} \]

Then for all i in the range $0 \le i \le n-1$, if $p_i = p$ and $\alpha_i \le c$, then $\alpha_i = \alpha_{i+1}$. Let $(K, m_K)$ be a Kripke frame with

\[ K \overset{\text{def}}{=} \mathrm{Atoms}_B, \]
\[ m_K(b) \overset{\text{def}}{=} \{\alpha \mid \alpha \le b\},\ b \in B, \]
\[ m_K(p) \overset{\text{def}}{=} \{(\alpha, \alpha) \mid \alpha \le c\} \cup \{(\alpha, \beta) \mid \alpha \le \bar{c},\ \beta \in \mathrm{Atoms}_B\}, \]
\[ m_K(q) \overset{\text{def}}{=} \{(\alpha, \beta) \mid \alpha, \beta \in \mathrm{Atoms}_B\},\ q \in P,\ q \ne p. \]
In this Kripke frame, for any i,

• if $p_i = p$ and $\alpha_i \le c$, then $\alpha_i = \alpha_{i+1}$, therefore $(\alpha_i, \alpha_{i+1}) \in [p]_K$;

• if $p_i = p$ and $\alpha_i \le \bar{c}$, or if $p_i \ne p$, then $(\alpha_i, \alpha_{i+1}) \in [p_i]_K$.

Thus in any case, $(\alpha_i, \alpha_{i+1}) \in [p_i]_K$. Moreover, $[\alpha_i]_K = \{(\alpha_i, \alpha_i)\}$. Thus

\[ [\sigma]_K = [\alpha_0]_K \circ [p_0]_K \circ [\alpha_1]_K \circ \cdots \circ [\alpha_{n-1}]_K \circ [p_{n-1}]_K \circ [\alpha_n]_K = \{(\alpha_0, \alpha_n)\}. \]

Also, $[c]_K = \{(\alpha, \alpha) \mid \alpha \in m_K(c)\} = \{(\alpha, \alpha) \mid \alpha \le c\}$ and $[p]_K = m_K(p)$, therefore

\[ [cp]_K = [c]_K \circ [p]_K = \{(\alpha, \alpha) \mid \alpha \le c\} \circ \big(\{(\alpha, \alpha) \mid \alpha \le c\} \cup \{(\alpha, \beta) \mid \alpha \le \bar{c},\ \beta \in \mathrm{Atoms}_B\}\big) = \{(\alpha, \alpha) \mid \alpha \le c\} = [c]_K, \]

thus $\mathrm{Rel}_K \models cp = c$. Using (2) in the direction →, we have $\mathrm{Rel}_K \models x \le a$. Since $\sigma \le x$, $\mathrm{Rel}_K \models \sigma \le a$ as well, thus $[\sigma]_K = \{(\alpha_0, \alpha_n)\} \subseteq [a]_K = \{(\alpha, \alpha) \mid \alpha \le a\}$, therefore $\alpha_0 = \alpha_n$ and $\alpha_0 \le a$. This says that

\[ \sigma \in [\![ \sum_{\alpha \le a} \alpha u \alpha ]\!]_G \subseteq [\![ aua ]\!]_G. \tag{5} \]

We have derived (5) under the assumption (4) for arbitrary $\sigma \in [\![ x ]\!]_G$, thus

\[ [\![ x ]\!]_G \subseteq [\![ uc\Big(\sum_{b \in B} \bar{b}pb + bp\bar{b}\Big)u + aua ]\!]_G. \]

By the completeness of KAT over the guarded string model [16], we have (3).
Now it follows from (3) that

\[ \models uc\Big(\sum_{b \in B} \bar{b}pb + bp\bar{b}\Big)u + aua \le a \rightarrow x \le a, \]

and combining this with (2) in the direction ←, we have

\[ \mathrm{REL} \models uc\Big(\sum_{b \in B} \bar{b}pb + bp\bar{b}\Big)u + aua \le a \rightarrow cp = c. \]

But then this should hold even under interpretations that assign 0 to each atomic action, thus

\[ \mathrm{REL} \models 0 + a \le a \rightarrow 0 = c, \]

which implies that ⊨ 0 = c, contradicting the assumption that c is not tautologically false. □


The following is our main theorem.

Theorem 3.2 Let $s_1, \ldots, s_m \in \mathrm{RExp}_{P,B}$, $c_1, \ldots, c_n \in \mathrm{Bool}_B$, $r_1, \ldots, r_n \in P \cup \mathrm{Bool}_B$, and $p, q \in \mathrm{RExp}_{P,B}$. There exist $\hat{p}, \hat{q} \in \mathrm{RExp}_{P,B}$ such that the following are equivalent:

(i) $\mathrm{KAT} \models \bigwedge_{i=1}^m s_i = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i \rightarrow p = q$

(ii) $\mathrm{KAT}^* \models \bigwedge_{i=1}^m s_i = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i \rightarrow p = q$

(iii) $\mathrm{REL} \models \bigwedge_{i=1}^m s_i = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i \rightarrow p = q$

(iv) $\models \hat{p} = \hat{q}$.

Furthermore, $\hat{p}$ and $\hat{q}$ can be calculated from $s_1, \ldots, s_m$, $c_1, \ldots, c_n$, $r_1, \ldots, r_n$, p, and q in PTIME, and any one of (i)-(iv) can be decided in PSPACE.

The remainder of this paper is devoted to the proof of Theorem 3.2. First we make some simplifications.

As noted above, the conjunction $s_1 = 0 \wedge \cdots \wedge s_m = 0$ is equivalent to the single equation $s_1 + \cdots + s_m = 0$. Thus we can assume without loss of generality that m = 1.

We can also assume that all the $r_i$ are in P, since if $r_i$ is a test, we can replace the premise $c_i r_i = c_i$ with the equivalent premise $c_i \bar{r}_i = 0$, which we can handle along with the other premises $s_i = 0$.

Finally, we can assume without loss of generality that the $r_i$ are distinct. For $c, d \in \mathrm{Bool}_B$ and $r \in \mathrm{RExp}_{P,B}$, we claim that

\[ \models cr = c \wedge dr = d \leftrightarrow (c + d)r = c + d. \]

If (c + d)r = c + d, then multiplying both sides on the left by c and using Boolean algebra, we get cr = c. We can obtain dr = d similarly. Conversely, if cr = c and dr = d, then (c + d)r = cr + dr = c + d. Thus, whenever $r_i = r_j$ with $i \ne j$, we can replace the hypotheses $c_i r_i = c_i$ and $c_j r_j = c_j$ with the single equivalent hypothesis $(c_i + c_j) r_i = c_i + c_j$, repeating as necessary until all the $r_i$ are distinct.

Henceforth, we fix the $c_i$ and $r_i$, fix $s = s_1$, and make the additional assumptions that m = 1 and the $r_i$ are all in P and distinct. As argued above, these assumptions are without loss of generality. Our proof for this special case constructs a relational model whose states are certain guarded strings, but we develop some theory first.

For $t, e_1, \ldots, e_k \in \mathrm{RExp}_{P,B}$ and $p_1, \ldots, p_k \in P$, let $t[p_1/e_1, \ldots, p_k/e_k]$ denote the result of simultaneously substituting $e_i$ for each occurrence of $p_i$ in t, $1 \le i \le k$. We are particularly interested in the substitution

\[ H(t) \overset{\text{def}}{=} t[r_1/\bar{c}_1 r_1 + c_1, \ldots, r_n/\bar{c}_n r_n + c_n]. \]

The substitutions can be performed simultaneously or sequentially, and the order does not matter, since $r_i$ does not occur in $\bar{c}_j r_j + c_j$ for $i \ne j$. This particular substitution is of interest because $c_i r_i = c_i$ is KAT-equivalent to $r_i = \bar{c}_i r_i + c_i$, as shown in Lemma 2.1.

Another vital fact is that performing the substitution H once is equivalent to performing it any number of times; that is, ⊨ H(H(t)) = H(t). To see this, observe that

\[ (\bar{c}_i r_i + c_i)[r_i/\bar{c}_i r_i + c_i] = \bar{c}_i(\bar{c}_i r_i + c_i) + c_i = \bar{c}_i \bar{c}_i r_i + \bar{c}_i c_i + c_i = \bar{c}_i r_i + c_i. \]

The map H is a syntactic homomorphism $\mathrm{RExp}_{P,B} \rightarrow \mathrm{RExp}_{P,B}$. We now indicate how this homomorphism is reflected semantically in trace models. For this purpose, we define a rewrite relation ▷ on traces of a Kripke frame $(K, m_K)$. The relation ▷ consists of n rules

\[ s\, r_i\, s \;\triangleright\; s \quad \text{provided } s \in [\![ c_i ]\!]_K, \]

one rule for each $1 \le i \le n$. These rules may be applied to any subtrace of a trace. Thus any trace $\sigma r_i \tau$ can be rewritten to στ whenever $\mathrm{last}(\sigma) = \mathrm{first}(\tau) \in [\![ c_i ]\!]_K$. Every ▷-reduction yields a shorter trace, and ▷ is easily seen to be Church-Rosser, so every trace σ has a unique ▷-normal form, which we denote by $N_K(\sigma)$. If X is a set of traces of K, let $N_K(X) = \{N_K(\sigma) \mid \sigma \in X\}$. Note that $N_K(N_K(\sigma)) = N_K(\sigma)$ and $N_K(\sigma\tau) = N_K(\sigma)N_K(\tau)$. Also,

\[ N_K(XY) = \{N_K(\sigma\tau) \mid \sigma \in X,\ \tau \in Y\} = \{N_K(\sigma)N_K(\tau) \mid \sigma \in X,\ \tau \in Y\} = N_K(X)N_K(Y). \]
Let u be the universal term $u = (\sum_{q \in P} q)^*$. Then $[\![ u ]\!]_K = \mathrm{Traces}_K$. Define

\[ C \overset{\text{def}}{=} [\![ u\Big(\sum_i c_i r_i\Big)u ]\!]_K, \tag{6} \]

the set of all traces of the form $\cdots s\, r_i \cdots$ with $s \in [\![ c_i ]\!]_K$ for some i. Note that $\sigma\tau \in C$ iff $\sigma \in C$ or $\tau \in C$. For $X \subseteq \mathrm{Traces}_K$, define $h(X) \overset{\text{def}}{=} N_K(X) - C$.


Lemma 3.3 The set $\{N_K(X) - C \mid X \subseteq \mathrm{Traces}_K\}$ is a Kleene algebra with tests under the usual interpretation of the operators on sets of traces, and h is a KAT homomorphism. Moreover, for all $t \in \mathrm{RExp}_{P,B}$, $[\![ H(t) ]\!]_K = h([\![ t ]\!]_K)$; in other words, the following diagram commutes:

\[
\begin{array}{ccc}
\mathrm{RExp}_{P,B} & \xrightarrow{\ H\ } & \mathrm{RExp}_{P,B} \\
\big\downarrow{\scriptstyle [\![\ ]\!]_K} & & \big\downarrow{\scriptstyle [\![\ ]\!]_K} \\
\mathrm{Tr}_K & \xrightarrow{\ h\ } & \mathrm{Tr}_K
\end{array}
\]


Proof. It is easily checked that the family of sets of the form $N_K(X) - C$ for $X \subseteq \mathrm{Traces}_K$ is closed under the usual KAT operations on sets of traces and that $h : X \mapsto N_K(X) - C$ is a homomorphism. Specifically, for any sets $X, Y, X_i$ of traces in K and any set $B \subseteq K$,

\[
\begin{aligned}
N_K\Big(\bigcup_i X_i\Big) - C &= \bigcup_i (N_K(X_i) - C) \\
N_K(XY) - C &= (N_K(X) - C)(N_K(Y) - C) \\
N_K(X^*) - C &= (N_K(X) - C)^* \\
N_K(\emptyset) - C &= \emptyset \\
N_K(K) - C &= K \\
N_K(K - B) - C &= K - (N_K(B) - C).
\end{aligned}
\]

To show that $[\![ H(t) ]\!]_K = h([\![ t ]\!]_K)$ for all $t \in \mathrm{RExp}_{P,B}$, since all maps in question are homomorphisms, it is enough to show it for atomic p and b. For $r_i$,

\[
\begin{aligned}
[\![ H(r_i) ]\!]_K &= [\![ \bar{c}_i r_i + c_i ]\!]_K \\
&= [\![ \bar{c}_i r_i ]\!]_K \cup [\![ c_i ]\!]_K \\
&= \{s\, r_i\, v \mid s \in [\![ \bar{c}_i ]\!]_K\} \cup \{s \mid s \in [\![ c_i ]\!]_K\} \\
&= \{N_K(s\, r_i\, v) \mid N_K(s\, r_i\, v) \notin C\} \\
&= N_K([\![ r_i ]\!]_K) - C.
\end{aligned}
\]

For $p \ne r_i$ for any i, since elements of $[\![ p ]\!]_K$ have no ▷-redexes,

\[ [\![ H(p) ]\!]_K = [\![ p ]\!]_K = N_K([\![ p ]\!]_K) = N_K([\![ p ]\!]_K) - C. \]

The case for tests is similar, since traces of length 0 are single states, therefore have no ▷-redexes. □
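The rewrite relation ▷, its normal form $N$ and the map $h$ of the two preceding passages, as an added Python example (not code from the paper): it assumes a constructed instance with atomic tests B = {b, c}, actions P = {p, q} and the single hypothesis cp = c, and exhaustively checks on short guarded strings that ▷ is Church-Rosser, that $N(\sigma\tau) = N(\sigma)N(\tau)$, and the atomic case $[\![ H(r_i) ]\!]_G = h([\![ r_i ]\!]_G)$ of Lemma 3.3.

```python
"""Rewrite relation, normal forms and the map h on guarded strings.

Constructed instance (not from the paper): atomic tests B = {b, c}, atomic
actions P = {p, q}, and the single hypothesis c p = c, i.e. r_1 = p, c_1 = c.
An atom is the frozenset of atomic tests it makes true; a guarded string
alpha0 p0 alpha1 ... alpha_n is a tuple alternating atoms and actions.
"""
from itertools import combinations, product

B = ("b", "c")
P = ("p", "q")
ATOMS = [frozenset(s) for n in range(len(B) + 1) for s in combinations(B, n)]

# Hypotheses c_i r_i = c_i, each as (membership test for [[c_i]], r_i).
HYPS = [(lambda alpha: "c" in alpha, "p")]


def guarded_strings(max_actions):
    """Every guarded string over P, B with at most max_actions actions."""
    out = []
    for n in range(max_actions + 1):
        for atoms in product(ATOMS, repeat=n + 1):
            for acts in product(P, repeat=n):
                gs = [atoms[0]]
                for act, alpha in zip(acts, atoms[1:]):
                    gs += [act, alpha]
                out.append(tuple(gs))
    return out


def redexes(gs, hyps=HYPS):
    """Positions i at which gs[i:i+3] is a subtrace s r_i s with s in [[c_i]]."""
    return [i for i in range(0, len(gs) - 2, 2)
            if gs[i] == gs[i + 2]
            and any(gs[i + 1] == r and c(gs[i]) for c, r in hyps)]


def reduce_at(gs, i):
    """One step of the rule s r_i s |> s at position i."""
    return gs[:i + 1] + gs[i + 3:]


def normal_form(gs, hyps=HYPS):
    """N(gs): reduce the leftmost redex until no redex remains."""
    while True:
        rs = redexes(gs, hyps)
        if not rs:
            return gs
        gs = reduce_at(gs, rs[0])


def all_normal_forms(gs, hyps=HYPS):
    """Irreducible traces reachable under every reduction order."""
    rs = redexes(gs, hyps)
    if not rs:
        return {gs}
    return set().union(*(all_normal_forms(reduce_at(gs, i), hyps) for i in rs))


def fuse(sigma, tau):
    """sigma tau, defined only when last(sigma) = first(tau)."""
    if sigma[-1] != tau[0]:
        raise ValueError("traces do not fuse")
    return sigma + tau[1:]


def in_C(gs, hyps=HYPS):
    """Membership in C = [[u (sum_i c_i r_i) u]]: a state in [[c_i]] followed by r_i."""
    return any(c(gs[i]) and gs[i + 1] == r
               for i in range(0, len(gs) - 1, 2) for c, r in hyps)


def h(traces, hyps=HYPS):
    """h(X) = N(X) - C."""
    return {n for n in (normal_form(t, hyps) for t in traces) if not in_C(n, hyps)}


def church_rosser(max_actions=3):
    """Unique normal form for every guarded string with <= max_actions actions."""
    return all(len(all_normal_forms(gs)) == 1 for gs in guarded_strings(max_actions))


def fusion_law(max_actions=2):
    """N(sigma tau) = N(sigma) N(tau) for all fusable pairs of short guarded strings."""
    strs = guarded_strings(max_actions)
    return all(normal_form(fuse(s, t)) == fuse(normal_form(s), normal_form(t))
               for s in strs for t in strs if s[-1] == t[0])


def lemma_3_3_atomic():
    """[[H(p)]]_G = [[c-bar p + c]]_G equals h([[p]]_G) for the hypothesis c p = c."""
    sem_p = {(a, "p", b) for a in ATOMS for b in ATOMS}            # [[p]]_G
    sem_Hp = ({(a, "p", b) for a in ATOMS for b in ATOMS if "c" not in a}
              | {(a,) for a in ATOMS if "c" in a})                   # [[c-bar p + c]]_G
    return h(sem_p) == sem_Hp


if __name__ == "__main__":
    print(church_rosser(), fusion_law(), lemma_3_3_atomic())
```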

Lemma 3.4 Let $r_1, \ldots, r_n$ be distinct elements of P, $c_1, \ldots, c_n$ tests, and $s, p, q \in \mathrm{RExp}_{P,B}$. The following are equivalent:

(i) $\mathrm{KAT} \models s = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i \rightarrow p = q$

(ii) $\mathrm{KAT}^* \models s = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i \rightarrow p = q$

(iii) $\mathrm{REL} \models s = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i \rightarrow p = q$

(iv) $\models H(p + usu) = H(q + usu)$.

Proof. The implications (i) ⇒ (ii) ⇒ (iii) are trivial, since REL ⊆ KAT* ⊆ KAT.

To show (iii) ⇒ (iv), we construct a Kripke frame R with associated relational model $\mathrm{Rel}_R$ on the set of states

\[ S \overset{\text{def}}{=} \mathrm{Traces}_G - (N_G([\![ usu ]\!]_G) \cup C). \]

Note that for any $\sigma\tau\rho \in \mathrm{Traces}_G$, if $\tau \in N_G([\![ usu ]\!]_G) \cup C$, then $\sigma\tau\rho \in N_G([\![ usu ]\!]_G) \cup C$, so any subtrace of a trace in S is also in S. Moreover, any string with a ▷-redex is in C, so every element of S is in ▷-normal form.

Atomic  symbols  are  interpreted  in  R  as  follows: 

m r(p)  =  {( a,aNG(ap/3 ))  |  crNG(ap(3)  £  5},  p  £  P 

m n{b)  {rr  £  S  |  last(cr)  <  b},  b  £  B. 

We now show that for all $t \in \mathrm{RExp}_{P,B}$,

$$[t]_R = \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t]\!]_G)\} \qquad (7)$$

by induction on the structure of $t$. For $p \in P$ and $b \in B$,

$$\begin{array}{rcl}
[p]_R &=& \{(\sigma, \sigma N_G(\alpha p \beta)) \mid \sigma N_G(\alpha p \beta) \in S\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G(m_G(p))\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![p]\!]_G)\}, \\[4pt]
[b]_R &=& \{(\sigma, \sigma) \mid \sigma \in S,\ \mathrm{last}(\sigma) \le b\} \\
&=& \{(\sigma, \sigma) \mid \sigma \in S,\ \mathrm{last}(\sigma) \in [\![b]\!]_G\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![b]\!]_G)\}.
\end{array}$$
For the constants 0 and 1, we have

$$\begin{array}{rcl}
[0]_R &=& \emptyset \;=\; \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![0]\!]_G)\} \\
[1]_R &=& \{(\sigma, \sigma) \mid \sigma \in S\} \;=\; \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![1]\!]_G)\}.
\end{array}$$

For compound expressions,

$$\begin{array}{rcll}
[t_1 + t_2]_R &=& [t_1]_R \cup [t_2]_R \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t_1]\!]_G)\} \cup \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t_2]\!]_G)\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t_1]\!]_G) \cup N_G([\![t_2]\!]_G)\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t_1 + t_2]\!]_G)\}, \\[4pt]
[t_1 t_2]_R &=& [t_1]_R \circ [t_2]_R \\
&=& \{(\sigma, \sigma\tau\rho) \mid (\sigma, \sigma\tau) \in [t_1]_R \wedge (\sigma\tau, \sigma\tau\rho) \in [t_2]_R\} \\
&=& \{(\sigma, \sigma\tau\rho) \mid \sigma\tau\rho \in S,\ \tau \in N_G([\![t_1]\!]_G),\ \rho \in N_G([\![t_2]\!]_G)\} \\
&=& \{(\sigma, \sigma\nu) \mid \sigma\nu \in S,\ \nu \in N_G([\![t_1]\!]_G)\, N_G([\![t_2]\!]_G)\} & \text{taking } \nu = \tau\rho \\
&=& \{(\sigma, \sigma\nu) \mid \sigma\nu \in S,\ \nu \in N_G([\![t_1 t_2]\!]_G)\}, \\[4pt]
[t^*]_R &=& \bigcup_n [t^n]_R \\
&=& \bigcup_n \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t^n]\!]_G)\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![t^*]\!]_G)\}, \\[4pt]
[\bar b]_R &=& \overline{[b]_R} \\
&=& \{(\sigma, \sigma) \mid \sigma \in S\} - \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![b]\!]_G)\} \\
&=& \{(\sigma, \sigma) \mid \sigma \in S\} - \{(\sigma, \sigma) \mid \sigma \in S,\ \mathrm{last}(\sigma) \in [\![b]\!]_G\} \\
&=& \{(\sigma, \sigma) \mid \sigma \in S,\ \mathrm{last}(\sigma) \in [\![\bar b]\!]_G\} \\
&=& \{(\sigma, \sigma\tau) \mid \sigma\tau \in S,\ \tau \in N_G([\![\bar b]\!]_G)\}.
\end{array}$$

It follows from (7) that $[t_1]_R = [t_2]_R$ iff $N_G([\![t_1]\!]_G) \cap S = N_G([\![t_2]\!]_G) \cap S$. The direction ⇐ is clear. Conversely, if $[t_1]_R = [t_2]_R$, then

$$\begin{array}{rcll}
N_G([\![t_1]\!]_G) \cap S &=& \{\tau \mid (\mathrm{first}(\tau), \tau) \in [t_1]_R\} & \text{by (7)} \\
&=& \{\tau \mid (\mathrm{first}(\tau), \tau) \in [t_2]_R\} \\
&=& N_G([\![t_2]\!]_G) \cap S.
\end{array}$$
Now for $1 \le i \le n$, observe that $N_G([\![c_i r_i]\!]_G) \cap S = N_G([\![c_i]\!]_G) \cap S$ by considering the two types of strings in $[\![c_i r_i]\!]_G$, namely $\alpha r_i \alpha$ and $\alpha r_i \beta$ for atoms $\alpha \le c_i$ and $\beta \ne \alpha$. The former reduce to $\alpha \in [\![c_i]\!]_G$ under $\triangleright$, and the latter are in $\triangleright$-normal form but not in $S$. It follows that $[c_i r_i]_R = [c_i]_R$.

Moreover, $N_G([\![s]\!]_G) \cap S \subseteq N_G([\![usu]\!]_G) \cap S = \emptyset = N_G([\![0]\!]_G) \cap S$, so $[s]_R = [0]_R$.

We have shown that

$$\mathrm{Rel}_R \models s = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i,$$

therefore $\mathrm{Rel}_R$ satisfies all the premises of (iii) in the statement of the lemma. It follows from (iii) that $[p]_R = [q]_R$, from which we can conclude

$$N_G([\![p]\!]_G) \cap S = N_G([\![q]\!]_G) \cap S. \qquad (8)$$

But

$$\begin{array}{rcll}
[\![H(p + usu)]\!]_G &=& h([\![p + usu]\!]_G) & \text{by Lemma 3.3} \\
&=& (N_G([\![p]\!]_G) \cup N_G([\![usu]\!]_G)) - C \\
&=& (N_G([\![p]\!]_G) - C - N_G([\![usu]\!]_G)) \cup (N_G([\![usu]\!]_G) - C) \\
&=& (N_G([\![p]\!]_G) \cap S) \cup (N_G([\![usu]\!]_G) - C),
\end{array}$$

and similarly $[\![H(q + usu)]\!]_G = (N_G([\![q]\!]_G) \cap S) \cup (N_G([\![usu]\!]_G) - C)$, therefore by (8), $[\![H(p + usu)]\!]_G = [\![H(q + usu)]\!]_G$. Since $\mathrm{Tr}_G$ is the free KAT on generators $P$, $B$ [16], we have $\models H(p + usu) = H(q + usu)$. This completes the proof of (iii) ⇒ (iv).

Finally, to show (iv) ⇒ (i), suppose $\models H(p + usu) = H(q + usu)$. Let $I$ be an arbitrary interpretation over a Kleene algebra with tests $K$ such that

$$K, I \models s = 0 \wedge \bigwedge_{i=1}^n c_i r_i = c_i.$$

By Lemma 2.1,

$$K, I \models \bigwedge_{i=1}^n r_i = \bar c_i r_i + c_i,$$

so $K, I \models H(t) = t$ for any $t \in \mathrm{RExp}_{P,B}$. Thus the following equations all hold under the interpretation $I$:

$$p = p + usu = H(p + usu) = H(q + usu) = q + usu = q.$$

Thus $K, I$ satisfies the Horn formula of (i). Since $K$ and $I$ were arbitrary, this formula holds in all Kleene algebras with tests. □




We have proved Theorem 3.2 except for the complexity argument. The above transformation of our hypotheses can clearly be done in PTIME. In general, sequences of substitutions can cause exponential blowup in term size; for example,

$$a_1[a_1/a_2^2][a_2/a_3^2] \cdots [a_j/a_{j+1}^2] = a_{j+1}^{2^j}.$$

However, this cannot occur in our case because $r_i$ does not appear in $\bar c_j r_j + c_j$ for $i \ne j$, and otherwise it is clear that the calculation of $p' = H(p + usu)$ and $q' = H(q + usu)$ is in PTIME. Note that this is relative to $s_1, \ldots, s_m$, $c_1, \ldots, c_n$, $r_1, \ldots, r_n$, $p$, $q$, and $P$. We must know $P$ for the "$+\,usu$" part of $H(p + usu)$ and $H(q + usu)$.

In [6], it is shown that the equational theory of KAT is decidable in PSPACE. Because $p'$, $q'$ can be calculated in PTIME, (i)-(iii) are decidable in PSPACE as well.